Report No. AUD-09-007                                                   March 2009

Federal Deposit Insurance Corporation
Office of Inspector General

Control Improvements Undertaken by the Division of Information Technology to Ensure the Confidentiality of Sensitive Email Communications

Why We Did The Audit

On October 6, 2008, the Director of the FDIC's Division of Information Technology (DIT) issued a memorandum to the FDIC Chairman (referred to herein as the DIT Memorandum), summarizing the status of control improvements intended to address five specific email security issues. The Director, DIT, requested the FDIC Office of Inspector General (OIG) to assess DIT's actions to address the five issues. The Director, DIT, also separately requested that the OIG assess DIT's efforts to use content filtering technology for corporate email communications. In response to these requests, the OIG contracted with KPMG LLP (KPMG) to audit these areas.

The audit objectives were to (1) determine whether the control improvements described in the DIT Memorandum were adequate, fully implemented, and operating as intended and (2) assess DIT's efforts to leverage content filtering technology on corporate email to mitigate the loss of sensitive business data. As part of the audit, KPMG assessed the status of DIT's ongoing security control improvements and the OIG-recommended control enhancements described in the OIG's August 2008 report, entitled Controls for Protecting the Confidentiality of Sensitive Email Communications (OIG Report No. AUD-08-013).

Background

The FDIC uses email extensively to exchange business information internally and externally. The National Institute of Standards and Technology recommends that organizations consider the use of email content filtering technology to mitigate the risk of loss of sensitive business data.

DIT has overall responsibility for providing email service to the Corporation and for maintaining the FDIC's email infrastructure.

Audit Results

As reflected in the table below, the control improvements described in the DIT Memorandum were adequate, fully implemented, and generally operating as intended.

Issues in the DIT Memorandum                                   | Control Improvement | Control Improvement   | Control Improvement is
                                                               | is Adequate         | is Fully Implemented  | Operating as Intended
---------------------------------------------------------------+---------------------+-----------------------+-----------------------
Issue #1 - Too many contractors have administrator rights in   |          ✓          |           ✓           |           *
the email environment.                                         |                     |                       |
Issue #2 - Monitoring and logging of contractor                |          ✓          |           ✓           |           ✓
administrator's access to email accounts need improvement.     |                     |                       |
Issue #3 - The process for encrypting sensitive email          |          ✓          |           ✓           |           ✓
communications can be cumbersome.                              |                     |                       |
Issue #4 - Contractors have administrator rights, which could  |          ✓          |           ✓           |           ✓
allow unauthorized access to email communications on desktops, |                     |                       |
laptops, and the "U:" drive.                                   |                     |                       |
Issue #5 - Roles and responsibilities of contractor staff      |          ✓          |           ✓           |           ✓
operating the Enterprise Vault need further review.            |                     |                       |

✓ Completed.
* Although DIT implemented appropriate control improvements to address Issue #1, we were unable to fully assess whether these control improvements operate as intended because they were recently implemented. The OIG may assess whether these control improvements operate as intended as part of its planned security evaluation required by the Federal Information Security Management Act of 2002.

Although KPMG's work identified the need for additional control improvements to fully address the five email security issues contained in the DIT Memorandum, DIT took prompt action to implement these additional control improvements prior to the close of the audit.

DIT completed a pilot implementation of email content filtering technology. However, DIT temporarily discontinued the use of the email content filtering prior to the start of the audit. Based on concerns KPMG raised during the audit, DIT developed a formal policy and configuration management plan to govern email content filtering at the FDIC.

KPMG's report summarizes the status of DIT's ongoing security control improvements and the OIG-recommended control enhancements described in OIG Report No. AUD-08-013.

Recommendation and Management Response

KPMG recommended that the Director, DIT, implement content filtering technology on corporate email to mitigate the risk of loss of sensitive business data consistent with NIST-recommended practices and the FDIC's policies and procedures. Management concurred with our recommendation and plans to take responsive actions, subject to the concurrence of the FDIC Chairman.

This report addresses issues associated with information security. Accordingly, we do not intend to make public release of the specific contents of the report.